Over the past week, Google has been called out for bypassing default privacy settings in both Safari and Internet Explorer in order to serve up advertising cookies. The two cases were quite different. With Safari, Google acknowledged the problem and said it was an accident. With Internet Explorer, Google said it was using the best available workaround for an outdated browser privacy technology that limits the capabilities of modern websites—and noted that thousands of other websites do much the same thing to get past IE's privacy policy.

Despite the differences, each case demonstrates one thing that may be troubling to Web users: privacy settings in browsers can be easily circumvented. There are few technological barriers preventing companies like Google and Facebook from tracking users to serve up personalized ads, and there are few legal barriers as well.

To dig into these issues, Ars spoke with Lorrie Faith Cranor, a computer science professor at Carnegie Mellon University and director of the institution's Usable Privacy and Security Laboratory. Protecting user privacy on the Web is an ongoing struggle, and one that is not going well, she said.

"Every time we come up with a technical solution that protects privacy, the websites come up with something they want to do that is broken by this privacy protection, and so they find a workaround for it and they basically break the privacy protection," she said.

Cranor played a central role in developing the privacy standard used by Internet Explorer, which is called the Platform for Privacy Preferences Project, or P3P. P3P was built in 2002 by the World Wide Web Consortium (W3C), with Cranor serving as chairperson of the P3P working group. She also authored a book on P3P that same year.

The usefulness of P3P was put under the microscope this past week. Microsoft, the only major browser vendor to use P3P, notes that it blocks third-party cookies unless presented with a Compact Policy Statement (CP) promising not to use the cookie to track the user. Microsoft accused Google of circumventing this requirement with a fake policy that says "This is not a P3P policy" and a link to a Google page describing the company's opposition to P3P.

Google fired back that it is "impractical to comply with Microsoft’s request while providing modern web functionality," such as signing into websites using one's Google account, or using Facebook's "Like" button. To prove its point, Google pointed to Cranor's own research showing that about a third of 33,000 studied sites were circumventing P3P in Internet Explorer.

Is P3P outdated?

Cranor acknowledges that standards work on P3P has been nonexistent in recent years and that it is implemented only by Internet Explorer. That said, IE is still the world's most widely used browser, and "there is nothing about P3P that goes bad. It doesn't have a sell-by date. The standard we put out in 2002 is still a perfectly good standard."

Cranor is also skeptical of the claim that Google cannot provide its functionality while complying with P3P, saying, "It's not obvious to me there's any fundamental reason why a proper P3P compact policy wouldn't work in that scenario."

Google noted that Cranor's research called out Microsoft's own msn.com and live.com for providing invalid P3P policy statements, and pointed out that the same research (from 2010) showed that "Microsoft's support website recommends the use of invalid CPs as a work-around for a problem in IE."

The report, Cranor explains, discovered several methods for circumventing P3P policy. One method is submitting a CP statement "that is clearly not a P3P policy, and that's what Google and Facebook and at one point Amazon did," she said. Other offenders had "P3P policies that were almost right but not quite," and it was unclear whether the violations were purposeful or accidental. That's the category Microsoft fell into.

The more puzzling accusation, that a Microsoft support website recommended the use of invalid P3P statements, is true, Cranor said.

Microsoft had received a question from a website developer about cookies breaking website content, and the answer Microsoft provided "was put the P3P compact policy on your website, and [Microsoft] gave an example of a P3P compact policy with no mention that you should write one that matches your website and not just blindly copy this one," Cranor said. The sample policy was invalid, yet "we found that thousands of websites just copied that string and it fixed the problem on their website."

Microsoft deleted that advice shortly after the report from Cranor and her Carnegie Mellon colleagues came out in 2010, although it apparently still existed on a Spanish language version of the site as of a few days ago, she said.
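As an added illustration (not code from the article, from Carnegie Mellon, or from any browser vendor), the Python check below sorts P3P response headers into the three groups Cranor describes: a valid compact policy, one that is "almost right but not quite", and text that is clearly not a P3P policy. It validates tokens against the P3P 1.0 compact-policy vocabulary only; it is not a reproduction of Internet Explorer's evaluation logic, and the sample headers are constructed.

```python
import re

# P3P 1.0 compact-policy token vocabulary (W3C P3P 1.0 Recommendation, 2002).
# The a/i/o suffix ("always", "opt-in", "opt-out") is allowed only on purpose
# and recipient tokens.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
           "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
OTHER = {"DSP", "COR", "MON", "LAW", "NID", "TST"}   # disputes, remedies, flags
SUFFIXABLE = PURPOSE | RECIPIENT
VOCABULARY = ACCESS | PURPOSE | RECIPIENT | RETENTION | CATEGORY | OTHER

# The CP attribute of a P3P response header, e.g.
#   P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa OUR NOR"
CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)


def token_is_valid(token):
    """True if `token` is a vocabulary token, optionally suffixed a/i/o
    where the spec permits a suffix."""
    base, suffix = token[:3].upper(), token[3:]
    if base not in VOCABULARY:
        return False
    if suffix == "":
        return True
    return suffix.lower() in ("a", "i", "o") and base in SUFFIXABLE


def classify_p3p(header_value):
    """Classify a P3P header value as 'valid', 'almost_valid' (real tokens
    mixed with bad ones), 'not_a_policy' (no recognizable token at all,
    e.g. free text in the CP attribute) or 'no_cp' (no CP attribute)."""
    match = CP_RE.search(header_value or "")
    if match is None:
        return {"status": "no_cp", "valid": [], "invalid": []}
    tokens = match.group(1).split()
    valid = [t for t in tokens if token_is_valid(t)]
    invalid = [t for t in tokens if not token_is_valid(t)]
    if not valid:
        status = "not_a_policy"
    elif invalid:
        status = "almost_valid"
    else:
        status = "valid"
    return {"status": status, "valid": valid, "invalid": invalid}


# Constructed sample headers for illustration (not captured from any site).
SAMPLE_HEADERS = {
    "valid": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIa OUR NOR"',
    "bogus": 'CP="This is not a P3P policy"',
    "almost": 'CP="NOI DSP COR NIDa CUR PSAo OURx"',
    "missing": 'policyref="/w3c/p3p.xml"',
}


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        result = classify_p3p(value)
        print(f"{name:8s} -> {result['status']:13s} invalid={result['invalid']}")
```

Run over the P3P headers in a proxy or HAR capture, the "not_a_policy" and "almost_valid" buckets are the third-party cookies a vocabulary-checking browser would have kept blocked.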

Privacy tools lack teeth

While the Google said/Microsoft said battles can be occasionally entertaining, the real problem is the lack of privacy standards that are both difficult to circumvent and enforceable through legal processes. Whether there would be a legal obligation to comply with P3P is a question that "came up a lot" during the standards process a decade ago, Cranor said.

"We asked regulators from the US, Europe, Canada, Australia, lots of places this question and their response was always the same: 'To the extent that I have the authority to enforce privacy policies written in human-readable languages, English, French, German, whatever, we can use that authority to enforce computer-readable policies like P3P.' So based on that statement, we concluded that the Federal Trade Commission [in the US] can go after companies who say deceptive things in their privacy policies … and they had even more authority in some of the other countries."

Cranor has argued that Microsoft hasn't done a good job implementing P3P. But Google's use of the text "This is not a P3P policy," while understandable to a human, is clearly deceptive because it's "tricking the Internet Explorer Web browser that can't read those words … and treats it as a P3P policy and unblocks the cookie," Cranor said.

Still, Google is not the only company doing this by a long shot, and in the ten years since P3P was implemented, Cranor said, "I don't know of any regulator that has gone after a company for P3P violations."

"It's both a technical problem and a legal problem," Cranor further said. "The technical ways these things are being enforced are rather brittle. If we had good legal enforcement that would make up for the fact that the technology is brittle, because then if somebody goes ahead and breaks the technology you would have the law come swooping in to go after them. But as it is they're both brittle."

Amazon actually faced a lawsuit over its use of invalid P3P policies to trick Internet Explorer into accepting cookies. Amazon now uses a valid policy, but the lawsuit was dismissed in December.

Google is facing complaints to the FTC and a class-action lawsuit over its cookie circumvention in Safari. An advocacy group that complained to the FTC said Google's bypassing of Safari's privacy protections—which Google has now stopped—violated a previous privacy agreement with the FTC.

The FTC is the more promising venue for privacy advocates, Cranor said. Lawsuits filed by individuals have to show some tangible monetary harm, but the FTC isn't held to that burden.

"In the US, the lawsuits are a much more difficult way to go than having the FTC or state attorneys general handle it," Cranor said. "We don't have much in the way of privacy laws in the US."

Can Do Not Track save the day?

The Electronic Frontier Foundation (EFF) argued that Google's Safari trick proves the need for so-called "Do Not Track" technology. The likes of Firefox and Internet Explorer have implemented such functionality, and Google Chrome has a similar option called "Keep My Opt-Outs."

The idea is fairly simple: give users a button to press that makes the browser send a header to every website, informing it that the user is not to be tracked. Do Not Track could potentially replace P3P as a standard.

But Cranor, despite serving on the EFF board, is skeptical. There are problematic questions, including what it means to track and what it means to not track. Google could argue that setting advertising-related cookies is OK because the cookies don't collect any personal information, and Facebook could say technology used to customize content for signed-in users shouldn't be subject to new restrictions, either.

Today's implementations rely on websites essentially following the honor system, and making Do Not Track a standard wouldn't necessarily change that, Cranor said.

"Like P3P, this would just be a standard and it would be in the same boat P3P was in," she said. "If the industry agrees on a standard and … we find out some companies are ignoring this and tracking you anyway, could the FTC do anything about it? I don't know. I think they'd be in an even worse position than they are with P3P, because the companies will claim 'we never even signed on to this. We didn't send any 'do not track' header, we just ignored the one you sent us.'"

Finding the right balance between privacy and functionality will be difficult, she said. Cranor noted that Microsoft's Tracking Protection Lists for IE9 are quite good at stopping websites from placing tracking cookies, preventing the kind of circumvention Google and Facebook practice. But the implementation can break functionality users want, she noted.

Chrome and Firefox also have options for blocking cookies. Third-party companies such as Abine and Evidon are building browser add-ons, the usability of which Cranor and colleagues examined in a recent report. Generally the tools tend to just block everything, although some vendors are working toward a more nuanced solution, she said. Cranor and her colleagues found "serious usability flaws" in all nine tools they evaluated.

"Having been involved in privacy technology now for about 15 years, I'm not optimistic that technology alone here is going to solve the problem," she said.

33 Reader Comments

Cranor acknowledges that standards work on P3P has been nonexistent in recent years, and that it is only implemented by Internet Explorer. That said, IE is still the world's most widely used browser, and "there is nothing about P3P that goes bad. It doesn't have a sell-by date. The standard we put out in 2002 is still a perfectly good standard."

Except the part where only IE uses it, and it is easily circumvented? Sorry, but P3P is bad, it is well past its expiration date, and a broken standard is in no way "perfectly good."

The solution, IMO, has always involved treating all data coming from the intarwebs as hostile, the browser rendering the data as it sees fit, filtering all data not explicitly requested by the user, and not transmitting any data unless explicitly allowed by the user. Automated policies are all silly by nature unless they're controlling your local rendition.

IE9 Tracking Protection Lists work well and are trivially easy to configure. As far as implementation breaking functionality I want, it's one click to disable tracking protection for a site where it has an unwelcome effect. If I trust the site, I can leave it disabled, and if not, it's only one more click to re-enable it.

The other thing you can do in IE9 is block all 3rd party cookies, or set IE to prompt for them. I haven't noticed any issues whatsoever with just leaving them blocked.

But I don't think most users care enough about tracking to bother with the three-minute process of turning on Tracking Protection and adding a list or two, and changing the setting for 3rd party cookies.

The basic premise here is absurd. You cannot solve privacy issues by creating policies that companies must voluntarily follow. That is helpful, sure, but privacy is also threatened by companies and sites that have no interest in respecting or prioritizing privacy. Thus, spam.

Privacy will only be protected when it can be controlled by the user.

That means that in this case, Microsoft is to blame for leaving a well-known hole in their system. Why couldn't they patch the P3P system in IE to reject Google's "invalid" compact policy? This has existed for years and is widely exploited. If they cared, they would fix it. If too many people were using their invalid example policy, why not reject that particular example?

Likewise, browsers are only recently starting to incorporate the ability to reject or delete Flash cookies (and still don't do it well). A long-standing hole, why was it never fixed? (Adobe deserves some blame here as well. A lot of blame.)

The hole in Safari is a trickier one, but I'm not convinced that we need functionality that allows a site to silently submit a form on your behalf... It's not a longstanding issue as far as I know, but that doesn't mean Apple couldn't fix it now.

I run NoScript on some of my installs. Sometimes I want to enable some functionality on a website without allowing everything. It's ridiculous the amount of third party content that is embedded on web pages these days. I can't even begin to imagine how many random cookies get picked up during a given session.

Personally, I think privacy settings in software that require the legal system to work are worthless. The problem is the legal system only works for companies that are on the level. But really those companies are not the ones I am worried about. Privacy settings need to be able to stand up to hostile hackers that do not care about the laws or proper implementation of the spec. So by my measure P3P is garbage and should be dropped.

Why couldn't they patch the P3P system in IE to reject Google's "invalid" compact policy? This has existed for years and is widely exploited. If they cared, they would fix it. If too many people were using their invalid example policy, why not reject that particular example?

You may have missed the last decade where everyone was complaining about MS deciding to deviate from the W3C standard for their own purpose. Yeah, there is a lot broken in a strict interpretation of the standards, but that's true for damn near everything W3C produces and yet in all other cases apparently the letter of the law should be followed.

I'm sure someone may correct me if this is wrong, but one of the problems seems to be this: I know that *some* cookies are required for websites to function correctly (storage of preferences, for example, as in, telling Techmeme I want links taken to open in a new tab). There are those *other* cookies that are nefarious, used for commercial tracking. How will rule-making be able to distinguish between types of cookies? I don't want to disable cookies entirely, as I enjoy some of the convenience their use entails.

Let's say you browse to http://arstechnica.com and the site wants to put a cookie on your computer for your username, your color preference, or whatever. Presumably you're OK with this since you chose to go to Ars in the first place. That's a first party cookie.

While on the site, you see an ad for XYZ Corp. XYZ wants to put a cookie on your PC so they can show you a different ad next time. That's a third party cookie since you never chose to go to the XYZ site.

You should see separate options in your browser privacy settings - one for first party cookies, and one for third. You can probably just block all third party cookies without noticeable effect, except that you'll see fewer ads that correspond to your searches and the type of sites you visit.

Which works just fine until Condé Nast decides that all accounts for their websites including reddit and arstechnica will need to log in using cookies from signon.condenast.com. So then browser makers allow exceptions if websites present information saying such and such cookies should be treated like first party cookies. Then Condé Nast games the system by presenting information that says ads.condenast.com should also be first party cookies. And we're back to the P3P problem all over again.

One of these days someone will fake a way into serving ads from the domain you are visiting and everything will go straight to hell in a handbasket.

Couldn't you just have the web server on the domain act as a proxy? There's other problems with that approach such as bandwidth and reporting but it would solve the domain blocking issue.

Well, those problems are the reason not to do it. No point in hosting ads you can't report on, and companies are less willing to use their own BW for ad hosting.

No point in hosting ads you can't report on? Why not? Magazine and newspaper ads have always operated on this model, where advertisers know only the gross demographics of the readers but have no tracking of which individuals see the ad. It is still worth money to serve those ads. Sure, an ad with a tracking cookie is worth more, but it still serves a purpose without.

I grok the whole privacy control thing, and support that people should be able to have absolute control over who is tracking what. But ad-blocking altogether? Should auto-redirect those users to a subscription paywall.

There is a link in this article for a .pdf file showing the 'study' by Carnegie Mellon University. The applications that they used are those that are most known as used. There is probably not much reason that anybody could not use any applications, and if they did not like it try a different one. The web operates using server/client/...IP addressing etc. Of course there are 'ISPs', and Cable, then there is 'wireless' etc. There will be more to be said about the counted amount of tracking, advertisement, and/or functionality being constructed to a person's web page. I have a problem with the actual aggregation ideologue going on that portrays the virtuoso someone wants to see the most popular, or would like to continue a present pattern, or pursuit. There are real problems with aggregating data between disparate web viewers. Including, and not limited to, liability and subterfuge. The legal angle is not going to resolve much, since from the beginning of the ideal of a 'right to privacy', a company will only be persistent in introducing long-winded 'declaratory statements' (Windows P3P) etc. that 'define their right' within your confines of right to privacy. This goes on, and on.

At a beginning though, it would be settling to consider that the web is actually 'non-advertised', and that advertisement is the exception, and not the rule. If you begin there, most of the controversy will not be prohibited from escaping your perception.

As a web browser, you can take a look at how HTML is constructed. You can actually buy a domain name, and create your own web site, and web page.

I can't see that the ideal of making remote functionality is going to be more constructive than the difficulties of doing so considering it from a local functionality. Most just don't recognize that they do not get a 'Star Wars' type interface from looking at how to create web pages, and web sites for themselves. Most will not see that web pages are composed of many disparate distant sites within HTML, and that there is constructive engagement to those distant sites, as well as entertainment of which the context is brought to consist.

I already voluntarily pay for reddit gold, Ars Technica, fark, and a few other sites to reduce or eliminate ads. I prefer to pay a reasonable rate than to adblock and potentially hurt the sites. Somewhere along the way, the free web became an open license to archive, track and invade anything and everything about visitors. While free is good, transparency about what is collected, how it is shared and preferably monetized would be better. If the freemium model makes sites' viability go through less unnatural acts like working with less than reputable advertisers, I don't mind subsidizing by paying.

No point in hosting ads you can't report on? Why not? Magazine and newspaper ads have always operated on this model, where advertisers know only the gross demographics of the readers but have no tracking of which individuals see the ad. It is still worth money to serve those ads. Sure, an ad with a tracking cookie is worth more, but it still serves a purpose without.

Not quite true. There is the Audit Bureau of Circulations that does newsstand audits to determine actual magazine sales. Combine that with subscription sales and assume 1 view per sale and you have the reporting numbers you're talking about. What they don't have is the targeting knowledge about you as an individual although they've asked for that demographic information for years when you sign up for a subscription.

there is nothing about P3P that goes bad. It doesn't have a sell by date. The standard we put out in 2002 is still a perfectly good standard.

What a fucking tool!

If IE is the only browser that requires this workaround, there is obviously something wrong with the standard. Never mind the fact that I have seen IE 9 break more websites than any previous update. If "Compatibility" Mode just derps, it takes hours of clicking check boxes in IE's Byzantine "advanced" options to finally find the right workaround. Of course, this usually opens up some kind of ActiveX security hole, but who cares about that?

That's another thing. Compatibility Mode. I love how the description claims it fixes "older websites." That's about the most politically correct way of saying, "These websites designed their code to work with our implementation of Web standards (because ours is the only way, fuck international standards). Since we have failed at dominating the Internet, we're suddenly not going to support those shitty standards any longer. Update your websites you retards."

IE implements a particular standard. IE also has problems. Therefore the standard has problems. Followed by ranting about the leftovers from a time when IE did not follow standards. There's an awful lot of fail here.

Microsoft's "Tracking Protection Lists" simply does part of what adblock has done all along. In fact, the only decent list worth using (MS recommended too) is basically the EasyPrivacy list for Adblock Plus. I think the names of the popular content filtering addons do them an injustice. Ads are just one of the many things you may block with them. Most of my custom filters have nothing to do with ads or privacy.